What is a virtual CISO (vCISO) and when is it advisable to hire their services?
Rosario
Today, security is a critical concern for organizations in almost every industry because of its complexity and rapid evolution. Threats to, and vulnerabilities in, the protection of information are increasing, and companies continue to struggle with regulations and the changing security landscape. In this context, the role of a chief information security officer (CISO) is to establish and maintain the organization’s strategy, and its execution, for protecting its sensitive and valuable information assets and the technologies around them.
But many organizations, even though they have data that needs protection, choose to use a virtual CISO (vCISO) to address the needs of the CISO role instead of hiring one internally.
What is the role of the virtual CISO?
The vCISO is a security professional who draws on years of cybersecurity and industry experience to help organizations develop, and manage the implementation of, their information security program. At a high level, vCISOs help design the organization’s security strategy, and some also help manage its implementation. Internal security staff may still exist, either reporting to or working with the vCISO and his or her team to execute an impactful security program. In addition, the vCISO is generally expected to be able to present the organization’s information security status to its board, executive team, auditors or regulators.
vCISOs can provide added value to organizations by assisting with a number of aspects of the overall information security program, including:
- Information security planning and management activities
- Organizational and management structure
- Initiatives affecting information practices
- Security risk management activities
- Assessment of third parties with access to organizational data
- Coordination of audits by regulators or customers
Why are vCISOs becoming more popular?
The idea of a virtual CISO has grown in demand among organizations for several reasons:
- CISOs are in demand: with the increase in cyber attacks, data breaches and the sophistication of attacks, and with organizations’ information-centric focus, organizations that want to implement a comprehensive set of controls and technologies need a CISO. A vCISO enables an organization to quickly fill the CISO role without having to go through the hiring process.
- CISOs come at a high price: a vCISO allows organizations to avoid the expense of hiring a full-time in-house CISO, paying only for services and time spent.
- vCISOs may have more experience: a vCISO has implemented information security programs for many customers in a diverse set of industries and sizes, giving them a wide range of expertise that can be applied to your organization.
- vCISOs can be anywhere: instead of having to hire someone locally (which limits your options) or having to help pay for a candidate’s move, vCISOs work as consultants, working from almost anywhere, giving the organization exposure to more potential candidates.
- vCISOs are a consumption-based option: while not all vCISOs work the same, this is a contractor that will perform tasks based on an agreed-upon scope of work.
Use cases for a vCISO
While the choice between an onsite or virtual CISO may not be clear, here are some possible use cases where a vCISO may be an excellent choice:
- Hiring a new full-time CISO: the departure of a company’s existing CISO may be ill-timed with respect to current security initiatives. This is where an experienced vCISO can come in and provide value by reviewing the current cybersecurity strategy and helping to recruit, select and transition to a full-time CISO.
- Operating a mature cybersecurity product in a smaller organization: while a full-time CISO is very expensive for an SMB, a vCISO can work part-time to provide enterprise-caliber expertise and operate security tools that the organization would otherwise not be able to make use of.
- Creating a compliance program: organizations with or without a CISO often lack expertise in a specific compliance mandate, or in how it translates into policies and processes to secure protected information. A vCISO specializing in a given compliance regulation can help develop a strategy and implementation plan that meets those specific mandates.
- Realigning cyber spend: whatever an organization was doing 6 months ago to protect against cyber risk is probably not as effective today. A vCISO can help organizations of all sizes by reviewing the current budget and how it is spent, and by identifying ways to spend it more effectively and efficiently to create a more secure posture.
CISO vs vCISO: Which one should I choose?
If you have valuable and sensitive information in your environment, you need some kind of information security program. And that means you need someone at the helm to drive the program and drive the vision, strategy and implementation to meet the organization’s information security objectives. The question of whether to hire a CISO or a vCISO really comes down to the organization’s strategy (e.g., they want someone long-term who is focused solely on their organization, so a CISO is the right choice), as well as any constraints (such as lack of budget).
If you’re not sure what the right choice is, you could start with a vCISO to lay the groundwork and see whether there is support from the executive team or board to implement a proper information security program. Then, if necessary, work to hire a full-time CISO to complete the work.